[ https://issues.apache.org/jira/browse/CASSANDRA-17502?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17514835#comment-17514835 ]
C. Scott Andreas commented on CASSANDRA-17502:
----------------------------------------------

Tibor, thank you for bringing discussion on this feature to the mailing list
and proposing the feature in JIRA!

Project contributors have recently made an effort to update some areas of the
Apache Cassandra codebase to adopt inclusive language. Can I propose we discuss
this feature in terms of a "two-person rule" for authorization and
"administrator_1" rather than "admin_guy1" or similar?

Thanks!

> Security enforcement by enabling "two-man rule" authorization
> -------------------------------------------------------------
>
> Key: CASSANDRA-17502
> URL: https://issues.apache.org/jira/browse/CASSANDRA-17502
> Project: Cassandra
> Issue Type: New Feature
> Reporter: Tibor Repasi
> Priority: Normal
>
> Inspired by the
> [discussion|https://lists.apache.org/thread/4p92o2obvztkl12hvnrrmlw0cgtl391k]
> about improving security administration the idea came up to enforce "two-man
> rule" grant of roles.
> Explanation from [Wikipedia|https://en.wikipedia.org/wiki/Two-man_rule]:
> {quote}The two-man rule is a control mechanism designed to achieve a high
> level of security for especially critical material or operations. Under this
> rule access and actions require the presence of two or more authorized people
> at all times.
> {quote}
> The idea can be summarised as having an option - e.g. GRANTORS - on roles to
> define how many grantors are needed for a user to have a specific role granted.
> Think about a keyspace containing highly sensitive data (e.g. patientdata)
> and a role - patientdata_access - allowing its grantees to access the data.
> {code}
> CREATE KEYSPACE patientdata …;
> CREATE ROLE patientdata_access WITH GRANTORS=2;
> GRANT SELECT, MODIFY ON patientdata TO patientdata_access;
> CREATE ROLE security_admin;
> GRANT AUTHORIZE patientdata_access TO security_admin;
> GRANT security_admin TO admin_guy1;
> GRANT security_admin TO admin_guy2;
> GRANT security_admin TO admin_guy3;
> {code}
> Security admins are allowed to grant the role, but it would need at least two
> of them (as defined by GRANTORS) to do so to allow the user to actually
> access the data.
> Thus,
> {code}
> GRANT patientdata_access TO doctor_house;
> {code}
> must be conducted by at least two of the three admin_guys above.
> When GRANTORS defaults to 1, the default behaviour of roles doesn't change.
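
Added example, not part of the original message and not Cassandra code: a small Python model of the GRANTORS semantics proposed in the issue, showing that a grant takes effect only after the required number of distinct authorized grantors have issued it. The class and method names are hypothetical, the security_admin indirection is collapsed into a direct list of authorized grantors, and the administrator_N names follow the comment's suggestion.

```python
# Toy in-memory model of the proposed GRANTORS rule; not Cassandra code.
from dataclasses import dataclass, field


@dataclass
class Role:
    grantors: int = 1                                # proposed option; 1 = current behaviour
    authorizers: set = field(default_factory=set)    # principals allowed to grant this role
    pending: dict = field(default_factory=dict)      # grantee -> distinct grantors so far
    members: set = field(default_factory=set)        # grantees whose grant is effective


class TwoPersonAuthz:
    def __init__(self):
        self.roles = {}

    def create_role(self, name, grantors=1):
        if grantors < 1:
            raise ValueError("GRANTORS must be at least 1")
        self.roles[name] = Role(grantors=grantors)

    def allow_authorize(self, role, principal):
        self.roles[role].authorizers.add(principal)

    def grant(self, role, grantee, grantor):
        """Record one grantor's GRANT; return True once the role is effective."""
        r = self.roles[role]
        if grantor not in r.authorizers:
            raise PermissionError(f"{grantor} may not grant {role}")
        if grantee not in r.members:
            approvals = r.pending.setdefault(grantee, set())
            approvals.add(grantor)        # a set, so a repeated GRANT counts once
            if len(approvals) >= r.grantors:
                r.members.add(grantee)
                del r.pending[grantee]
        return grantee in r.members

    def has_role(self, role, principal):
        return principal in self.roles[role].members


if __name__ == "__main__":
    # Constructed scenario mirroring the issue's patientdata_access role.
    authz = TwoPersonAuthz()
    authz.create_role("patientdata_access", grantors=2)
    for admin in ("administrator_1", "administrator_2", "administrator_3"):
        authz.allow_authorize("patientdata_access", admin)
    print(authz.grant("patientdata_access", "doctor_house", "administrator_1"))
    print(authz.grant("patientdata_access", "doctor_house", "administrator_1"))
    print(authz.grant("patientdata_access", "doctor_house", "administrator_2"))
```

The design point the model makes explicit is that approvals must be counted per distinct grantor, otherwise one administrator repeating the GRANT would satisfy GRANTORS=2 alone.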